Hi, we are using restic latest version 0.12.0 which has go 1.15.8.
bash:/# restic version
restic 0.12.0 compiled with go1.15.8 on linux/amd64
Our scanning tool is reporting a high vulnerability with go 1.15.8 related to the below CVE: NVD - CVE-2021-27918 which is fixed in 1.15.9 version of go. We have 30 days to fix this and are looking for help in this forum to see if there are any options to fix this or any ETA on next release of restic and if that will have go 1.15.9. Thank you!
Seems like. At least go list all shows encoding/xml. I didn’t dig into it but I would guess it is used within some storage backend.
The vulnerability can lead to an infinite loop, so if you are worried about it and not able to re-compile your restic, you should monitor your restic runs to identify such an infinite loop.
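
One way to do the monitoring suggested in the reply above, as an added example that is not part of the original thread or of restic: it reads the Go version from the `restic version` line, warns when it is below the 1.15.9 named in the thread, and runs restic under a wall-clock limit so a run that never finishes is stopped and reported. The function names, `MAX_RUNTIME` and its 4-hour default are assumptions; it relies on `timeout` and `sort -V` from GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): flag a restic binary built with a
# Go toolchain older than 1.15.9 and run it under a wall-clock limit.

FIXED_GO="1.15.9"   # fixed Go release named in the thread

# Print the Go version found in a `restic version` line, e.g. "1.15.8".
go_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*compiled with go\([0-9][0-9.]*\).*/\1/p'
}

# Succeed if version $1 is non-empty and sorts strictly below version $2.
version_lt() {
    [ -n "$1" ] && [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Run a command with a limit in seconds. `timeout` exits 124 when the limit
# is hit (137 if it had to escalate from TERM to KILL after 10s).
run_with_deadline() {
    local limit="$1"; shift
    local rc=0
    timeout -k 10 "$limit" "$@" || rc=$?
    if [ "$rc" -eq 124 ] || [ "$rc" -eq 137 ]; then
        echo "ALERT: '$*' exceeded ${limit}s and was stopped" >&2
    fi
    return "$rc"
}

# Wrapper for scheduled jobs. Set MAX_RUNTIME (assumed variable name) well
# above the duration of a normal run so only a hung process trips it.
guarded_restic() {
    local line ver
    line="$(restic version)" || return 1
    ver="$(go_version_of "$line")"
    if version_lt "$ver" "$FIXED_GO"; then
        echo "WARN: restic built with go$ver (< $FIXED_GO)" >&2
    fi
    run_with_deadline "${MAX_RUNTIME:-14400}" restic "$@"
}
```

Call `guarded_restic backup /data` from the scheduler in place of `restic backup /data` and alert on exit status 124 or 137.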